This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

« Previous | Table of Contents | Next »

Splunk User Manual (Splunk v2.0)

Faster Splunking Tricks

Set a Timerange

Splunk partitions its indexes by timestamp both in memory and on disk. So the smaller the range between start and end times in a splunk of the same index, the smaller the amount of RAM or disk the server will need to read, and the faster it will finish. The minutesago::, hoursago:: and daysago:: modifiers are quick ways to reduce the length of a search.

« Previous | Table of Contents | Next »

Comments

No comments have been submitted.

Flash required to play this video.

Click here to download the free Flash Player.

Description:

Permalink:

Browse all videos » « Close window and return to article